Friday, August 06, 2010
BlackBerry BBM intercept - workarounds probable?
This week has seen half the world's more paranoid and authoritarian countries make announcements about intercepting BlackBerry traffic. The main concern seems to be a belated recognition that the proprietary BBM IM service is currently encrypted end-to-end from device to device - and in any case transits the RIM network and is processed in its data centres. Therefore, unlike SMS traffic, it's not observable by the spooks - particularly those in countries without access to vaults-full of supercomputers.
It's conspicuous that RIM's announcements appear to have focused on damage-limitation in terms of any fears of its corporate customer base using the BES/email service - whereas my read is that most of these governments are more worried about the new army of young BlackBerry *BIS* (Internet service) customers.
Presumably though, the fact that the data transits RIM's network is actually less of an issue than the fact that it's encrypted on the way.
Now, a question for BlackBerry developers: is there a BBM API on the handset in the new SDK and OS version? Because if so, presumably someone will just create a lightweight 3rd-party app front-end to BBM, which encrypts/decrypts everything locally? At which point it doesn't matter whether RIM routes the traffic to Canada or straight through the operator's core network, as it'll still look like gibberish. Come to think of it, the same app could probably do SMS crypto as well.
I have a feeling that this whole "interception" approach may backfire spectacularly on those governments trying to enforce it. This could just catalyse the whole market for private crypto solutions, not just on BlackBerries, but on all smartphones. Next up, mass-market encrypted voice - it's already available for BlackBerries for corporate usage.
It would be deeply ironic if such an authoritarian move prompted a huge shift which ultimately resulted in more privacy rather than less.
Edit - looks like the Bahrain government has a more realistic view of the situation
Wednesday, August 04, 2010
Device-specific data plans and policy management
But increasingly, data plans are becoming more granular still – a trend likely to continue as we gain new device form factors. iPhone and iPad plans are specific to those products – and easily enforceable (for now) through the use of MicroSIMs which cannot be swapped around. MiFi products, which are inherently multi-device tethers, may also be subject to different plans.
As an example, take 3UK:
- iPad MicroSIM-only plans: 1GB @ £7.50 / month or 10GB @ £15 / month [1-month rolling]
- Laptop SIM-only plan: 5GB @ £15 / month
- Handset SIM-only Internet plan: 1GB @ £5 / month (which also includes circuit-based Skype calling)
The interesting thing here is that, in essence, we are getting a sort of blurry policy management and mobile traffic management by the back door. Although the correlations are not perfect, typical iPhone usage is different to typical BlackBerry usage, or that of assorted other products. Less / more video, less / more social networking, less / more web browsing, more / fewer notifications and so on. It’s quite easy to skew the prices and tiers to favour the less network-hungry products – or implicitly reward manufacturers for creating “non-aggressive” devices that don’t hammer the RNCs with signalling traffic so much.
What’s less clear is whether prioritising traffic by *device type* is the same in terms of Net Neutrality as prioritising it by *application type*. Is it fair, reasonable or legal to distinguish between them? Even if they are not dynamically prioritised, it could be possible to rate-limit them - for example peak speeds of 1Mbit/s download vs. 3Mbit/s. Under absolute purist views on Net Neutrality, it would probably also fall foul of the strict rule-making. But as we perhaps move towards some more negotiated, nuanced, intermediate arrangements, this is one particular Devil that should be included in the detail.
It's certainly much easier to distinguish between device types than application types in the network.
There are also some interesting wrinkles about what happens when users SIM-swap. I already do this, putting my dongle SIM into a vanilla phone when roaming as the prices are better, and I’m never going to run my laptop over 3G in a foreign country under any circumstances. There are also interesting issues about what happens when new apps are released that change consumption profile – or a major OS/firmware upgrade. In other words, there’s a policy management and enforcement angle as well.

